CCleaner is a popular Windows utility used by many millions of internet users to remove cookies, wipe browsing histories, and clean up temporary internet files where malware might be lurking.
It’s the kind of tool that many tech-savvy Windows users rely upon to speed up and optimise their PCs.
It’s not the sort of program that they expect to introduce malware onto their systems. But unfortunately, that’s precisely what appears to have occurred.
CCleaner has suffered a “security incident” in which users were updated to a legitimate, digitally-signed version of the software that opened a malicious backdoor.
The scale of the potential threat should not be underestimated. Last year, CCleaner was boasting that it had been downloaded in total over two billion times, and was seeing five million additional users per week.
As a security notification on CCleaner’s support forum explains, CCleaner v5.33.6162 and CCleaner Cloud v1.07.3191 were compromised.
Once in place, the malware would wait five minutes, determine whether the user had admin privileges, and then steal information from the PC, such as the computer’s name, a list of installed software and Windows updates, running processes, and the MAC addresses of network adapters, along with additional information.
The stolen data was then sent to a US-based server under the control of a hacker.
Researchers at Cisco Talos, who first identified the problem, discovered that the installer for CCleaner v5.33 – first delivered to users’ computers by the legitimate CCleaner download servers on August 15, 2017 – was the culprit.
What makes things most concerning is that the malicious code was digitally signed using a valid digital certificate issued to the software’s developer Piriform, which was acquired by anti-virus firm Avast just two months ago.
Cisco Talos researchers warn that the fact the binary was digitally signed using the software developer’s valid certificate is of particular concern:
“…it is likely that an external attacker compromised a portion of their development or build environment and leveraged that access to insert malware into the CCleaner build that was released and hosted by the organization. It is also possible that an insider with access to either the development or build environments within the organization intentionally included the malicious code or could have had an account (or similar) compromised which allowed an attacker to include the code.”
Cisco Talos researchers immediately informed Avast of the problem, and offending versions of the CCleaner installer containing the malicious payload are no longer available from the CCleaner download website. Law enforcement agencies have also been informed of the situation, and the third-party server that was set up to receive stolen data has been taken down.
It goes without saying that anyone still using version 5.33 of CCleaner needs to update to the (safe) version 5.34 as soon as possible. This message especially needs to reach users of the free edition of CCleaner, as it does not feature automatic updates and requires them to download updates manually. (Of course, the lack of automatic updates for the free edition of CCleaner may actually have reduced the total number of users put at risk by the compromised version.)
It’s worth pointing out that you may want to go one step further than just downloading a fixed version of CCleaner. After all, if you ran version 5.33 of CCleaner your PC may have been compromised. It might be sensible to roll back your computer to a backup created before you installed that poisoned version of CCleaner.
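As an added example (not code from the article, Piriform or Avast), here is a PowerShell check a Windows administrator could run to see whether a host still carries one of the two compromised builds named above. It assumes the default CCleaner folder under Program Files and that the executable’s file version carries the build number quoted on the page; it also shows why a valid Authenticode status is not reassuring in this particular incident.

```powershell
# Added example, not from the article or from Piriform/Avast: report whether
# CCleaner binaries on this host match the compromised builds the article names
# (CCleaner v5.33.6162, CCleaner Cloud v1.07.3191).
# Assumptions: default install folders under Program Files, and that the
# executable's file version carries the build number shown on the page.
function Get-CCleanerExposure {
    [CmdletBinding()]
    param()

    # Candidate install folders (assumed defaults; the x86 variable is absent on 32-bit Windows)
    $roots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) |
        Where-Object { $_ } | ForEach-Object { Join-Path $_ 'CCleaner' }

    # Compromised builds keyed by Major.Minor.Build, so a four-part file version
    # such as 5.33.6162.0 still matches; "1.07" parses as minor version 7.
    $compromised = @{
        '5.33.6162' = 'CCleaner v5.33.6162'
        '1.7.3191'  = 'CCleaner Cloud v1.07.3191'
    }

    foreach ($root in $roots) {
        if (-not (Test-Path -Path $root)) { continue }
        Get-ChildItem -Path $root -Filter 'CCleaner*.exe' -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $v   = $_.VersionInfo.FileVersionRaw
            $key = '{0}.{1}.{2}' -f $v.Major, $v.Minor, $v.Build
            # Signature details are reported for context only: the malicious build
            # carried Piriform's valid certificate, so a 'Valid' status proves nothing here.
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            [pscustomobject]@{
                Path            = $_.FullName
                FileVersion     = $key
                Compromised     = $compromised.ContainsKey($key)
                KnownBadBuild   = $compromised[$key]
                SignatureStatus = $sig.Status
                Signer          = $sig.SignerCertificate.Subject
            }
        }
    }
}

$results = Get-CCleanerExposure
$results | Format-Table Path, FileVersion, Compromised, SignatureStatus -AutoSize
if ($results | Where-Object { $_.Compromised }) {
    Write-Warning 'Compromised CCleaner build present: update to v5.34 and consider restoring a backup taken before it was installed.'
}
```

Run it in an elevated session across the fleet (for example via a remoting job) and treat any `Compromised = True` row as a host to rebuild or roll back, not merely to update.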
And, if you’re in any doubt as to the scale of the potential threat, cast your mind back a few months to when ransomware spread around the world after being seeded through a malicious automatic update to a popular Ukrainian accounting package, or to late 2016, when attackers hijacked Ask Toolbar updates to install suspicious code.
For more discussion of the CCleaner security incident, be sure to listen to this episode of the “Smashing Security” podcast:
Found this article interesting? Follow Graham Cluley on Twitter to read more of the exclusive content we post.